Attributes

    Attribute value types are limited to:

    • string for UTF-8 strings

    • bytes for byte buffers

    • int for 64-bit signed integers

    • uint for 64-bit unsigned integers

    • for lists of values

    • map for associative arrays with string keys

    • timestamp for timestamps as specified by Timestamp

    • duration for durations as specified by

    • Protocol buffer message types

    CEL provides standard helper functions for operating on abstract types such as getMonth for timestamp values. Note that integer literals (e.g. 7) are of type int, which is distinct from uint (e.g. ), and the arithmetic conversion is not automatic (use uint(7) for explicit conversion).

    Wasm extensions receive the attribute values as a serialized buffer according to the type of the attribute. Strings and bytes are passed as-is, integers are passed as 64 bits directly, timestamps and durations are approximated to nanoseconds, and structured values are converted to a sequence of pairs recursively.

    The following request attributes are generally available upon initial request processing, which makes them suitable for RBAC policies.

    request.* attributes are only available in http filters.

    Header values in the request.headers associative array are comma-concatenated when a header has multiple values.

    Additional attributes are available once the request completes:

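    | Attribute          | Type     | Description                                                                           |
    |--------------------|----------|---------------------------------------------------------------------------------------|
    | request.duration   | duration | Total duration of the request                                                         |
    | request.size       | int      | Size of the request body. Content length header is used if available.                 |
    | request.total_size | int      | Total size of the request including the approximate uncompressed size of the headers  |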

    Response attributes

    Response attributes are only available after the request completes.

    response.* attributes are only available in http filters.

    The following attributes are available once the downstream connection is established (which also applies to HTTP requests, making them suitable for RBAC):

    | Attribute                             | Type   | Description                                                                                          |
    |---------------------------------------|--------|------------------------------------------------------------------------------------------------------|
    | source.address                        | string | Downstream connection remote address                                                                 |
    | source.port                           | int    | Downstream connection remote port                                                                    |
    | destination.address                   | string | Downstream connection local address                                                                  |
    | destination.port                      | int    | Downstream connection local port                                                                     |
    | connection.id                         | uint   | Downstream connection ID                                                                             |
    | connection.mtls                       | bool   | Indicates whether TLS is applied to the downstream connection and the peer certificate is presented  |
    | connection.requested_server_name      | string | Requested server name in the downstream TLS connection                                               |
    | connection.tls_version                | string | TLS version of the downstream TLS connection                                                         |
    | connection.subject_local_certificate  | string | The subject field of the local certificate in the downstream TLS connection                          |
    | connection.subject_peer_certificate   | string | The subject field of the peer certificate in the downstream TLS connection                           |
    | connection.dns_san_local_certificate  | string | The first DNS entry in the SAN field of the local certificate in the downstream TLS connection       |
    | connection.dns_san_peer_certificate   | string | The first DNS entry in the SAN field of the peer certificate in the downstream TLS connection        |
    | connection.uri_san_local_certificate  | string | The first URI entry in the SAN field of the local certificate in the downstream TLS connection       |
    | connection.uri_san_peer_certificate   | string | The first URI entry in the SAN field of the peer certificate in the downstream TLS connection        |
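The serialization rules and the connection attributes above combine into a fail-closed check inside a Wasm extension. The following is an added example, not code from the original page or from the Envoy project. It assumes little-endian 64-bit integers and a one-byte bool encoding; the `Attrs` map is a hypothetical stand-in for the host property lookup, and the SPIFFE URI and port 8443 are constructed sample values.

```rust
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
enum AttrError { Missing, Malformed }

// Hypothetical stand-in for the host property lookup: attribute name -> raw buffer.
type Attrs = HashMap<&'static str, Vec<u8>>;

fn raw<'a>(attrs: &'a Attrs, name: &str) -> Result<&'a [u8], AttrError> {
    attrs.get(name).map(Vec::as_slice).ok_or(AttrError::Missing)
}

// int attributes (e.g. destination.port) are 64 bits: exactly 8 bytes, assumed little-endian.
fn get_int(attrs: &Attrs, name: &str) -> Result<i64, AttrError> {
    let b = raw(attrs, name)?;
    if b.len() != 8 { return Err(AttrError::Malformed); }
    let mut le = [0u8; 8];
    le.copy_from_slice(b);
    Ok(i64::from_le_bytes(le))
}

// Assumption: bool attributes (connection.mtls) arrive as one byte, 0 or 1.
fn get_bool(attrs: &Attrs, name: &str) -> Result<bool, AttrError> {
    match raw(attrs, name)? {
        [0] => Ok(false),
        [1] => Ok(true),
        _ => Err(AttrError::Malformed),
    }
}

// string attributes are passed as-is; invalid UTF-8 is rejected, not lossily repaired.
fn get_str<'a>(attrs: &'a Attrs, name: &str) -> Result<&'a str, AttrError> {
    std::str::from_utf8(raw(attrs, name)?).map_err(|_| AttrError::Malformed)
}

// Allow only mTLS peers with the expected URI SAN; missing or malformed input denies.
fn authorize(attrs: &Attrs, want_uri: &str, want_port: i64) -> bool {
    get_bool(attrs, "connection.mtls") == Ok(true)
        && get_str(attrs, "connection.uri_san_peer_certificate") == Ok(want_uri)
        && get_int(attrs, "destination.port") == Ok(want_port)
}

fn main() {
    // Constructed sample buffers, not captured from a real proxy.
    let uri = "spiffe://example.test/ns/web/sa/frontend";
    let mut a = Attrs::new();
    a.insert("connection.mtls", vec![1]);
    a.insert("connection.uri_san_peer_certificate", uri.as_bytes().to_vec());
    a.insert("destination.port", 8443i64.to_le_bytes().to_vec());
    println!("allowed: {}", authorize(&a, uri, 8443));
}
```

Comparing each decoded result against `Ok(expected)` means an absent attribute, a truncated integer buffer, or a non-UTF-8 SAN all evaluate to deny rather than to a default value.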

    The following additional attributes are available upon the downstream connection termination:

    Upstream attributes

    The following attributes are available once the upstream connection is established:

    | Attribute                           | Type   | Description                                                                                      |
    |-------------------------------------|--------|--------------------------------------------------------------------------------------------------|
    | upstream.address                    | string | Upstream connection remote address                                                               |
    | upstream.port                       |        | Upstream connection remote port                                                                  |
    | upstream.tls_version                | string | TLS version of the upstream TLS connection                                                       |
    | upstream.subject_local_certificate  | string | The subject field of the local certificate in the upstream TLS connection                        |
    | upstream.subject_peer_certificate   | string | The subject field of the peer certificate in the upstream TLS connection                         |
    | upstream.dns_san_local_certificate  | string | The first DNS entry in the SAN field of the local certificate in the upstream TLS connection     |
    | upstream.dns_san_peer_certificate   | string | The first DNS entry in the SAN field of the peer certificate in the upstream TLS connection      |
    | upstream.uri_san_local_certificate  | string | The first URI entry in the SAN field of the local certificate in the upstream TLS connection     |
    | upstream.uri_san_peer_certificate   | string | The first URI entry in the SAN field of the peer certificate in the upstream TLS connection      |
    | upstream.local_address              | string | The local address of the upstream connection                                                     |
    | upstream.transport_failure_reason   | string | The upstream transport failure reason e.g. certificate validation failed                         |

    Data exchanged between filters is available as the following attributes:

    Note that these attributes may change during the life of a request as the data can be updated by filters at any point.

    Wasm attributes

    In addition to all above, the following extra attributes are available to Wasm extensions:

    | Attribute              | Type     | Description               |
    |------------------------|----------|---------------------------|
    | plugin_name            | string   | Plugin name               |
    | plugin_root_id         | string   | Plugin root ID            |
    | plugin_vm_id           | string   | Plugin VM ID              |
    | node                   |          | Local node description    |
    | cluster_name           | string   | Upstream cluster name     |
    | cluster_metadata       | Metadata | Upstream cluster metadata |
    | listener_direction     | int      | Enumeration value of the  |
    | listener_metadata      | Metadata | Listener metadata         |
    | route_name             | string   | Route name                |
    | route_metadata         |          | Route metadata            |
    | upstream_host_metadata | Metadata | Upstream host metadata    |

    Path expressions allow access to inner fields in structured attributes via a sequence of field names, map, and list indexes following an attribute name. For example, get_property({"node", "id"}) in Wasm ABI extracts the value of id field in node message attribute, while refers to the comma-concatenated value of a particular request header.